Deployment

For our first pass, we would like to set up 3 machines as shown in the diagram above.
We expect that we'll have to do some experimenting to get these "right".
Once we are happy with these 3 VMs and the "application assembly",
we plan to clone the VMs to create a QA and a PROD environment.
Is there a way to clone the entire assembly?
Will we have to tweak the firewall settings each time we clone?

Our primitive datacenter BCP plan is as follows.
Whenever we change a VM configuration, we take a copy of the VM and store it offsite (at the city?).
Should the datacenter fail badly (fire, etc.), we provide Carinet with the VMs,
and Carinet brings up the VMs at another location.
Does this sound sane?
Note that we handle DB backups separately.

We plan to move these VMs to our datacenter by midyear 2011.
We want to ensure that these VMs are portable.
We expect to do a simple VM copy and do not need vMotion.
Is this reasonable?

Carinet Responsibilities

  • Provision hardware
  • Provide 3 VMs using barebones (?) VMware version x.x (todo - need version number)
  • Install CentOS 5 64-bit on each VM
  • Install Apache web server on the web server VM
  • Install package manager (yum or apt-get)

All other software will be installed by city employees.

Security

We assume the following.

  • The data center is physically secure.
  • VMware installation has latest kernel updates/patches

Please let us know if any of these assumptions is incorrect.

SE Linux

Do not enable SE Linux.

SSH Access

All VMs shall be accessible via ssh.
The city will provide public keys for those who will have Linux root access.

All services shall be disabled unless otherwise requested.

The following shall be disabled:

  • NFS
  • FTP
  • incoming mail

The following shall be enabled.

  • outgoing mail
  • SSH
  • firewall (see below)

Firewall Configuration

Web Server VM
Allow access from

  • ssh
  • port 80

Geo Server VM
Allow access from

  • ssh
  • port 8080 from web server

DB Server VM
Allow access from

  • ssh
  • port 5432 from web server
  • port 5432 from geo server

TCP Wrapper

Can we restrict port level access?

  • web
    1. Allow requests from all hosts on port 80
    2. Allow ssh requests from all
    3. Deny requests on all other ports
  • geo
    1. Allow requests from web server on port 8080
    2. Allow ssh requests from all
    3. Deny requests from all other hosts on port 8080
  • db
    1. Allow requests from web & geo servers on port 5432
    2. Allow ssh requests from all
    3. Deny requests from all other hosts on port 5432
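
The allow-lists in the Firewall Configuration and TCP Wrapper sections, written as a default-deny iptables ruleset in the /etc/sysconfig/iptables format that CentOS 5 loads at boot. This is an added example, not part of the original page; it uses iptables packet filtering rather than TCP Wrappers, because hosts.allow matches on daemon name and not on port. The addresses 192.0.2.10 and 192.0.2.20, the function names and the script name fw.sh are placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for one of the three VM
# roles described on this page (web, geo, db).
# WEB_IP and GEO_IP are assumed placeholder addresses (RFC 5737 range);
# replace them per environment (DEV, QA, PROD) after cloning.
WEB_IP="${WEB_IP:-192.0.2.10}"   # assumed address of the web server VM
GEO_IP="${GEO_IP:-192.0.2.20}"   # assumed address of the geo server VM

# allow PORT [SOURCE]: print one ACCEPT rule for new TCP connections,
# optionally restricted to a single source address.
allow() {
    if [ -n "$2" ]; then
        echo "-A INPUT -p tcp -s $2 --dport $1 -m state --state NEW -j ACCEPT"
    else
        echo "-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT"
    fi
}

# emit_rules ROLE: print the complete filter table for web, geo or db.
emit_rules() {
    case "$1" in
        web|geo|db) ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    echo "*filter"
    echo ":INPUT DROP [0:0]"       # default deny: unlisted ports are dropped
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"    # outgoing mail and package installs still work
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow 22                       # ssh from all hosts, on every VM
    case "$1" in
        web) allow 80 ;;                       # public HTTP
        geo) allow 8080 "$WEB_IP" ;;           # GeoServer: web server only
        db)  allow 5432 "$WEB_IP"              # PostgreSQL: web server
             allow 5432 "$GEO_IP" ;;           # PostgreSQL: geo server
    esac
    echo "COMMIT"
}

# Usage: sh fw.sh db > /etc/sysconfig/iptables && service iptables restart
if [ $# -gt 0 ]; then emit_rules "$1"; fi
```

Because the peer addresses are the only per-environment values, a cloned VM needs only WEB_IP and GEO_IP changed before the ruleset is regenerated.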

SFGov Responsibilities

Install application software including the following.

You will need to see the SVN readme for all the excruciating details.

Geoserver

  • Java virtual machine
  • tomcat

Database

  • GEOS
  • proj4
  • PostgreSQL with PostGIS

Web Server

  • gdal
  • python
  • django
  • geo-django

Linux Admin

  • set up appropriate new Linux users
    • Password & Access security
    • use of public/private keys
  • limit root access
  • use sudo as needed
  • provide file system security
    • umask settings
    • setting up appropriate file permissions

Tests


Test the following application/server connection pairs via SSH tunnel

  1. browser/geoserver - localhost:8080
  2. pgadmin/database - localhost:5432

Test the EAS application connection
